Water Labbu Malware targets scammers to steal their bad crypto

It’s a dog-eat-dog world for crypto scammers.

A new report reveals how one person identified crypto scammers in order to rob them of their ill-gotten funds.

Crypto scammers typically use social engineering to interact with victims and convince them to part with their hard-earned money, either by sending funds directly to the scammers or by granting the permissions needed to access their wallets.

Water Labbu, the name given to the person who robbed the fraudsters, allegedly used a similar method to steal cryptocurrency by obtaining access permissions to the victims’ wallets. However, they did not do any social engineering themselves, leaving the dirty work to the original scammers.

Instead of creating its own scam websites, Water Labbu compromised the websites of other scammers, which posed as legitimate decentralized applications (dApps), and injected malicious JavaScript code into them.

Lurking in the shadows, Water Labbu patiently waited for high-value victims to connect their wallets to a scam dApp before injecting a JavaScript payload into the website to steal the funds.

Nothing changed for the original scammer’s victims – they were still robbed. The only difference is that Water Labbu started grabbing crypto from the scammers, transferring the funds to their own wallet.

“The request is disguised to look like it was sent from a compromised website and asks for permission to transfer an almost unlimited amount of USD Tether from the target’s wallet,” says Trend Micro’s report.

Water Labbu attack flow. Source: Trend Micro
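The disguised request described above is an ERC-20 approve() call for a near-unlimited allowance. As an added example (not code from the Trend Micro report or from Water Labbu’s script), the following JavaScript decodes such a request and flags allowances that are effectively unlimited, the check a wallet or browser extension would want to run before showing the signing prompt; the approve() selector and USDT’s 6 decimals are standard, while the addresses and the token threshold are constructed.

```javascript
// Added example: decode an ERC-20 approve(address,uint256) call and flag
// allowances that are effectively unlimited. Addresses and the threshold
// below are constructed; the selector and USDT's 6 decimals are standard.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const USDT_DECIMALS = 6;             // USDT uses 6 decimals
const MAX_UINT256 = (1n << 256n) - 1n;

// Parse raw calldata; return null if it is not a well-formed approve() call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || !hex.startsWith(APPROVE_SELECTOR)) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address = last 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(8 + 64));   // word 2 as uint256
  return { spender, amount };
}

// Classify the requested allowance. "unlimited" covers the uint256 maximum
// as well as any amount above a tunable ceiling expressed in whole tokens,
// which catches the "almost unlimited" variant as well.
function assessApproval(calldata, maxReasonableTokens = 100000n) {
  const call = decodeApprove(calldata);
  if (!call) return { risk: "not-approve" };
  const tokens = call.amount / (10n ** BigInt(USDT_DECIMALS));
  if (call.amount === MAX_UINT256 || tokens > maxReasonableTokens) {
    return { risk: "unlimited", spender: call.spender, tokens };
  }
  return { risk: "bounded", spender: call.spender, tokens };
}

// Build approve() calldata from parameters (used to construct sample input).
function encodeApprove(spender, amount) {
  const s = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const a = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + s + a;
}

// Constructed sample: a drainer asking for the maximum allowance.
const SAMPLE_SPENDER = "0x" + "ab".repeat(20);
const SAMPLE_REQUEST = encodeApprove(SAMPLE_SPENDER, MAX_UINT256);
console.log(assessApproval(SAMPLE_REQUEST)); // risk: "unlimited"
```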

Water Labbu makes off with more than $300,000

In one identified case, the malicious script drained USDT from two addresses and swapped it on the Uniswap exchange – first to the USDC stablecoin and then to Ethereum (ETH) – before sending the ETH to the Tornado Cash mixer.

The report also noted that Water Labbu used different methods for different operating systems. For example, if the victim loaded the script from a desktop running Windows, it returned another script that displayed a fake Flash update message asking the victim to download a malicious executable.

Trend Micro said that Water Labbu had compromised at least 45 scam websites, most of them following the so-called “lossless mining liquidity pledge” model, which law enforcement authorities warned about earlier this year.

According to security analysts, the profits made by Water Labbu are estimated to be at least $316,728 based on transaction records from nine identified victims.
